Detections of multi-stage phishing attacks known as “hybrid vishing” increased by more than 600% between the first and second quarters of 2022, as fraudsters seek new ways to circumvent traditional security controls, according to Agari.
The security provider's Quarterly Trends and Threat Intelligence Report for the period was produced with PhishLabs and is based on analysis of hundreds of thousands of phishing and social media attacks against companies, employees and brands.
“Hybrid vishing threats are multi-stage attacks that differ from traditional vishing by first interacting with the victim via email,” the report explained. “The actor includes a cell phone number in the body of the email as a decoy, which is designed to trick the victim into calling and submitting sensitive information to a fake representative.”
Vishing attacks, or voice phishing, accounted for a quarter (25%) of the so-called "response-based" scams analyzed in the report. The other types in this category were 419 scams (54%), business email compromise (BEC, 16%), and employment scams (5%).
Together, these response-based attacks now account for two-fifths (41%) of email-delivered threats, up 3.5% from the previous quarter and the highest share since 2020. Credential phishing (55%) and malware delivery (5%) make up the remaining types of corporate email threats.
Interestingly, nearly three-quarters (73%) of BEC attacks in Q2 were launched from free webmail accounts, a 3% increase on Q1. Those sent from spoofed or compromised domains accounted for only about a quarter (27%) of attack volume. Gmail (72%) was the most used service.
This suggests that simple tactics still work, despite greater user awareness of BEC than a year ago.
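The two findings above, that hybrid vishing lures carry a callback number instead of a link and that most BEC now comes from free webmail accounts, translate directly into mail-filter heuristics. The following is an added example, not code from Agari, PhishLabs or the report: a small Python scorer that parses a raw message with the standard library and flags a phone number without any URL, a "call us" cue near it, a billing or renewal lure, and a free-webmail sender domain. The regexes, keyword lists, the free-webmail list beyond Gmail, the score threshold and the two sample messages are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default

# Free webmail providers. The report names only Gmail (72% of BEC); the others are
# assumed for this example and should be tuned to what your mail logs actually show.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}

# Billing/renewal lures typical of callback phishing ("you have been charged, call to cancel").
LURE_WORDS = re.compile(
    r"\b(invoice|subscription|renew(?:al|ed)?|charged|auto-?renew|cancel|refund|billing)\b", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)
# North American phone formats such as (555) 010-2345, 555-010-2345, +1 555 010 2345.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# A call-to-action that points the reader at a number or a "team" on the same line.
CALL_CUE = re.compile(
    r"\b(call|phone|dial|contact)\b[^.\n]{0,60}?(?:number|us|support|billing|help ?desk)", re.I)


def sender_domain(msg) -> str:
    """Domain part of the From header, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def body_text(msg) -> str:
    """Plain-text body (first text/plain part), or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def score_callback_phish(raw: str) -> dict:
    """Score a raw RFC 5322 message for hybrid-vishing (callback phishing) indicators."""
    msg = message_from_string(raw, policy=default)
    body = body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    domain = sender_domain(msg)
    phones = PHONE_RE.findall(body)
    has_link = bool(URL_RE.search(body))

    indicators = []
    if phones and not has_link:
        indicators.append("phone_number_no_link")      # the decoy replaces the usual URL
    if phones and CALL_CUE.search(body):
        indicators.append("call_to_action_to_number")  # victim is told to phone in
    if LURE_WORDS.search(text):
        indicators.append("billing_lure")              # bogus charge or renewal pretext
    if domain in FREE_WEBMAIL:
        indicators.append("free_webmail_sender")       # no spoofing or domain compromise needed

    score = len(indicators)
    # A phone number is the defining feature of the lure, so it gates the verdict.
    verdict = "suspect" if phones and score >= 3 else "ok"
    return {"sender_domain": domain, "phones": phones,
            "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample: a callback-phishing lure sent from a free webmail account.
VISHING_SAMPLE = """From: "Billing Department" <protection.plan.billing@gmail.com>
To: jane.doe@example.com
Subject: Invoice #4471 - Your subscription has been renewed

Dear customer,

Your annual protection plan has been auto-renewed and $399.99 has been charged
to your card on file. If you did not authorize this, call our billing team
on (555) 010-2345 within 24 hours to cancel and request a refund.

Billing Support
"""

# Constructed sample: a legitimate internal mail with a phone number in the signature.
LEGIT_SAMPLE = """From: "Priya Nair" <priya.nair@corp.example>
To: jane.doe@example.com
Subject: Q3 planning notes

Hi Jane,

The notes from today's meeting are on the wiki: https://wiki.corp.example/q3
Let me know if anything is missing.

Priya Nair | Program Manager | +1 555 010 9876
"""

if __name__ == "__main__":
    for name, sample in (("vishing", VISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, score_callback_phish(sample))
```

The phone number gates the verdict rather than contributing a point on its own, because a number in a signature is normal business mail; what is abnormal is a number that stands in for the link, sits beside an instruction to call, and arrives with a billing pretext from a consumer mailbox. Linked credential phishing is deliberately out of scope here and needs a separate URL-focused check.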
This lines up somewhat with data from Kaspersky in February, which showed an increase in detections of BEC-as-a-service commodity campaigns exploiting free email accounts and using vague payment requests.
The bottom line for organizations is that social engineering still represents one of their biggest security risks – a risk that will require ongoing changes in awareness programs and technical controls.